malwarewikiaorg-20200223-history
ACCDFISA
ACCDFISA, also known as Anti-Porn Locker or ACCDFISA Protection, is a ransomware that runs on Microsoft Windows. It is aimed at English-speaking users.

Payload Transmission

Unlike most ransomware, ACCDFISA does not use drive-by or social engineering attacks to infect a system. It is instead installed manually by the attacker himself. The attacker targets Windows systems running Remote Desktop or Terminal Services, which is usually the case for remotely maintained Windows servers.

The attacker uses a 2-stage installer. Stage 1 consists of a WinRAR SFX archive with a small WinRAR setup script that unpacks the malware files to predetermined locations inside the 32-bit Windows system directory (C:\Windows\System32 or C:\Windows\SysWOW64). The second stage is triggered by the WinRAR setup script and executes the various malware components with special command line parameters, which cause the components to copy themselves to their intended locations and install themselves properly.

Infection

The malware uses the following registry auto-start entry to ensure its execution on each reboot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"svchost"="%PATH_TO_SCREEN_LOCKER%"

Once executed, it creates and switches over to a new desktop, where it displays its ransom notice. This effectively prevents the user from using the system unless the user enters the correct unlock code, which causes the screen locker to switch back to the real desktop and terminate.

The malicious service component searches all connected drives for files that it will either delete or move into encrypted RAR archives using the command line version of WinRAR.
To determine which files to delete, the malware uses the following rules:

- It checks if the file path contains the following string. If it does, the file is not deleted: bootsect
- It checks if the file path contains any of these strings. If it does, the file is deleted: backup, recycle.bin, temp
- It checks if the file name ends in any of these extensions. If it does, the file is deleted: .nb7, .dna, .ipd, .stg, .bk1, .fbf, .nba, .nrs, .rrr, .nbf, .rbc, .jbk, .113, .rbf, .nbk, .fbw, .nbs, .nbu, .bkc, .bkf, .log, .bkp, .bks, .bck, .qic, .mig, .oeb, .bcm, .v2i, .001, .sn1, .sn2, .fh, .as4, .abf, .abk, .rdb, .qbb, .qbk, .ful, .bup, .tib, .uci, .ate, .ati, .spf, .spi, .gho, .tbk, .kb2, .bpa, .bpb, .evt, .npf, .bps, .nps, .sbb, .wbb, .bac, .bak

To determine which files to move into encrypted RAR archives, the following rules are used:

- It checks if the file path contains any of these strings. If it does, the file is not moved into an encrypted RAR archive: iconcache.db, bootsect, windows nt, microsoftrac, nvidia, microsoft.net, mozilla firefox, device stage, windows mail, windows, pure basic, common files, temp, feeds cache, dvd maker, winrar, sample pictures, vmware, windows media, adobe, bootstat.dat, html help, ntuser.dat, chrome
- It checks if the file path contains any of these strings. If it does, the file is moved into an encrypted RAR archive: dexis, dentrix
- It checks if the file name ends in any of these extensions. If it does, the file is moved into an encrypted RAR archive: .df1, .v12, .xml, .zip, .3ds, .rar, .dvb, .db, .ahd, .cdb, .gdb, .old, .png, .odb, .ns2, .ns3, .olk, .ns4, .sdb, .wdb, .sdf, .ihx, .ods, .dwf, .dwg, .myd, .doc, .pwa, .eql, .dws, .nsf, .dwt, .rsd, .dp1, .fcd, .lgc, .btr, .dxf, .dxl, .docx, .azz, .ac$, .fdb, .rtf, .arx, .jtx, .txt, .phm, .zdb, .jpeg, .qbw, .his, .ask, .owg, .fid, .bmp, .daf, .eco, .tif, .xlsx, .db2, .db3, .dat, .pan, .atc, .sxg, .edb, .dbc, .dbf, .mdb, .mdf, .qdb, .ads, .udb, .dbs, .dbv, .mud, .dsk, .bok, .psd, .fol, .fp7, .sql, .4dd, .tcx, .dta, .crd, .ora, .qvd, .jpe, .jpg, .crt, .hdb, .pdb, .aft, .xld, .$er, .vhd, .pdf, .sbf, .pdm, .xls, .tdt, .nyf, .bib, .pub, .aws, .fic, .php
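As an added example (not code from the wiki page or from the malware), the file-selection rules above turned into a Python triage helper that an incident responder can run over a file listing from a suspected host to estimate which files would have been deleted, archived, or left alone. It assumes case-insensitive matching, that the delete rules are evaluated before the archive rules, and that only the final extension is compared; the page does not state any of these.

```python
import ntpath

# Rule tables transcribed from the page's description of ACCDFISA's file selection.
DELETE_SKIP = ("bootsect",)
DELETE_PATH = ("backup", "recycle.bin", "temp")
DELETE_EXT = set("""
.nb7 .dna .ipd .stg .bk1 .fbf .nba .nrs .rrr .nbf .rbc .jbk .113 .rbf .nbk .fbw
.nbs .nbu .bkc .bkf .log .bkp .bks .bck .qic .mig .oeb .bcm .v2i .001 .sn1 .sn2
.fh .as4 .abf .abk .rdb .qbb .qbk .ful .bup .tib .uci .ate .ati .spf .spi .gho
.tbk .kb2 .bpa .bpb .evt .npf .bps .nps .sbb .wbb .bac .bak""".split())
ARCHIVE_SKIP = ("iconcache.db", "bootsect", "windows nt", "microsoftrac", "nvidia",
                "microsoft.net", "mozilla firefox", "device stage", "windows mail",
                "windows", "pure basic", "common files", "temp", "feeds cache",
                "dvd maker", "winrar", "sample pictures", "vmware", "windows media",
                "adobe", "bootstat.dat", "html help", "ntuser.dat", "chrome")
ARCHIVE_PATH = ("dexis", "dentrix")
ARCHIVE_EXT = set("""
.df1 .v12 .xml .zip .3ds .rar .dvb .db .ahd .cdb .gdb .old .png .odb .ns2 .ns3
.olk .ns4 .sdb .wdb .sdf .ihx .ods .dwf .dwg .myd .doc .pwa .eql .dws .nsf .dwt
.rsd .dp1 .fcd .lgc .btr .dxf .dxl .docx .azz .ac$ .fdb .rtf .arx .jtx .txt .phm
.zdb .jpeg .qbw .his .ask .owg .fid .bmp .daf .eco .tif .xlsx .db2 .db3 .dat .pan
.atc .sxg .edb .dbc .dbf .mdb .mdf .qdb .ads .udb .dbs .dbv .mud .dsk .bok .psd
.fol .fp7 .sql .4dd .tcx .dta .crd .ora .qvd .jpe .jpg .crt .hdb .pdb .aft .xld
.$er .vhd .pdf .sbf .pdm .xls .tdt .nyf .bib .pub .aws .fic .php""".split())

def classify(path):
    """Return 'delete', 'archive' or 'untouched' for one Windows path. Assumed, not
    stated on the page: case-insensitive matching, delete rules checked first."""
    p = path.lower()
    ext = ntpath.splitext(p)[1]
    # Each rule set: an exclusion string wins, then path substrings, then extensions.
    if not any(s in p for s in DELETE_SKIP) and (
            any(s in p for s in DELETE_PATH) or ext in DELETE_EXT):
        return "delete"
    if not any(s in p for s in ARCHIVE_SKIP) and (
            any(s in p for s in ARCHIVE_PATH) or ext in ARCHIVE_EXT):
        return "archive"
    return "untouched"

def triage(paths):
    """Bucket a file listing by expected impact, for scoping an incident."""
    return {b: [p for p in paths if classify(p) == b] for b in ("delete", "archive", "untouched")}

# Constructed sample listing, not taken from a real infected host.
SAMPLE = [r"C:\Backups\finance.bak", r"C:\Users\alice\Documents\invoices.xlsx",
          r"C:\Program Files\Mozilla Firefox\places.sqlite.db",
          r"C:\Windows\System32\config\bootsect.bak", r"D:\Dentrix\schedule.bin",
          r"C:\Users\alice\AppData\Local\Temp\notes.txt"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Note that a .txt file under a Temp folder lands in the delete bucket: the "temp" substring triggers the delete rule before the archive rule is ever consulted.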